Minding the gaps to protect industrial PLCs from cyber threats

Times have changed dramatically since the first programmable logic controllers (PLCs) found their way onto factory floors to control and automate manufacturing and industrial processes. One of the biggest changes is the advent of the Internet, which changed available communication technologies from Profibus, a protocol gateway that directly connects PLCs to the machinery they control, to Profinet, an Ethernet-based industrial communication system that provides faster real-time communication and can interconnect network devices to the Internet.

PLCs, designed to control machinery and specific processes, were never built with cybersecurity threats in mind. Protecting PLCs against these threats requires healthy isolation from the World Wide Web.

With the change in how industrial machines communicate within a network came new risks. Systems that were isolated in the past are now visible on the Internet. This can be compared to public transport, whereby people are not operating in isolation anymore, but relying on public exposure to travel.

Operational Technology (OT) networks have always been designed and configured in a flat and unsegmented configuration, where all the OT devices are all connected on the same network. When OT networks run unsegmented alongside Information Technology (IT) networks, which also use Ethernet connections, disparate systems like Payroll systems and PLC systems can be accessed from the same network. If an IT network is infected with malware, the manufacturing operation’s OT network is exposed to the same malware. OT networks should, therefore, be isolated from IT networks in the fundamental planning of an organisation’s OT infrastructure.

This is where air-gapping comes in. Air-gapping is part of the actual set-up of a network, where a secure network is physically separated from an unsecured one. Clear separation between critical and non-critical systems can limit the impact of a breach and makes it possible to apply appropriate security controls. For example, non-critical systems can have access to view information on critical systems, but not necessarily make changes.

“Air-gapping within OT networks, where you isolate your PLC environment from the rest of your systems, is the modern way of doing it. When done effectively, air-gapping makes it possible to allow interplay between systems, but there are healthy boundaries to keep your PLC environment safe from the types of cyber threats that afflict IT.

“For instance, industrial control systems, including those that many PLCs integrate with, use Microsoft Windows, which opens up the same risks to the PLC system as those affecting PCs. Yet traditional software security tools are not effective enough in protecting PLCs.

“The Stuxnet case study was a wake-up call for the industry and made role players in the industry realise there are risks of additional threats when exposing production processes to the Internet, and that small changes can have a big impact.

“Other malware is designed specifically to target PLCs. The malicious Stuxnet worm, for example, was designed to target industrial PLCs, ultimately modifying the codes and giving unexpected commands to the control system with far-reaching consequences. It can cost money, downtime, reputational damage, and even lives.”1.

“In a water plant, if a PLC goes haywire because of being compromised, water quality can be impacted and as a result, affect thousands of lives. In Iran, the Stuxnet virus made a small modification to a PLC environment and forced a complete shutdown of this uranium enrichment plant.”2.

“By implementing an effective PLC security strategy, which includes air-gapping in the correct areas, identity and access management, and asset discovery, you can mitigate these risks and avoid setbacks and costly downtime,” says Charl Ueckermann, CEO at AVeS Cyber Security.

He explains: “In the old days, companies had proprietary protocols in terms of how they ran productions. Those were well-networked protocols, and they were isolated from IT-based cyber environments. To create efficiencies, do better Just-In-Time manufacturing, eliminate waste, reduce working capital and provide instant information, it became necessary to get PLCs connected via Ethernet, which means there is a high level of connectivity between cyber systems and PLCs nowadays.

“The problem lies in the way in which communication channels have been opened up between OT networks, IT networks and the Internet. There is a lack of proper segregation, adequate VLANs aren’t created, and often a firewall or two is slapped into the mix. This means that there are rivers of information rushing together and they really should run separately so that one cannot infect the other.

“Complete isolation is not the solution. That would be like having all the doors to a shopping centre locked, stopping everyone from entering, including customers. Instead, you want to control access, allowing customers in and unwanted ‘guests’ out.

“Similarly, you want to be able to inspect and control the nature of traffic going into and out of OT environments, as well as between different PLCs, so that the business still benefits from connectivity between them without exposing systems to unwanted risk.

“When it comes to identity and access control, you should define exactly who is allowed into the environment, what time frames they are permitted access, and what they can work on while they are there. This is most certainly one of the highest-ranking priorities in the PLC security plan.”

The first step, however, should be a cybersecurity vulnerability assessment. Modern manufacturers need to understand where all their PLC data resides and how people connect to that data. In a manufacturing environment, there will typically be different PLCs in different parts of the organisation, factory or mine, and these are interlinked. 

It is essential to know how they are exposed to other computers that have connectivity to the Internet as these create open gateways for industrial cyber threats. This includes all Internet-connected devices, even smartphones that employees might be plugging into their computers to charge during their day at work.

Once companies have a comprehensive understanding of the environment and how the different network areas are connected, it becomes necessary to call on technology to assist with controlling access to the environment’s systems, which includes physical and digital assets, as well as put processes in place to protect data. Ongoing monitoring solutions are also needed to maintain visibility of the data flowing between and in and out of the various environments.

Not all threats and attacks occur from the outside, which is why Ueckermann stresses that in addition to effective policies, procedures and technologies, companies need to put their employees through security awareness and training.

“People need to be critically aware of their associated responsibilities in protecting the organisation against malware or cybercrime, for that matter. In a typical manufacturing environment, employees are required to go through proper health and safety induction. Likewise, they should be required to undergo a cybersecurity induction because when it comes to PLCs that can behave erratically and dangerously if they are compromised, lives are at stake.”

References:

1. Fruhlinger, J. (2017, 08 22). What is Stuxnet, who created it and how does it work? Retrieved from CSO: https://www.csoonline.com/article/3218104/what-is-stuxnet-who-created-it-and-how-does-it-work.html
2. Kelly, M. B. (2012, 04 13). The Stuxnet Virus At Iran's Nuclear Facility Was Planted By An Iranian Double Agent. Retrieved from Business Insider: https://www.businessinsider.com/stuxnet-virus-planted-by-iranian-double-agent-2012-4?IR=T